d6afcce63997e5f072c32edcc0409fdcd3fe695468933c4e7271e9ddcf471ee5

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2024 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be2200f8a4cc7c28ff19270892118293.exe
Size

624KB
MD5

be2200f8a4cc7c28ff19270892118293
SHA1

cfa00c4099caa993cbea984fc576f67e89134c92
SHA256

d6afcce63997e5f072c32edcc0409fdcd3fe695468933c4e7271e9ddcf471ee5
SHA512

3ab366dcdc803b724b250ba592e4d10c7c7cd327226609f13a442048c7dfd46a23c7a0a06a3c2bce036abf16d22826017b560e1e74e22ba5834bb54d763758e0
SSDEEP

12288:WOwNxGUDwMeIkZajwu4diroeJsISWAT4lFMvwmb1TLnWI5NVmpI:WOsxGUDIa0ZirRsrWAT4lFWwmb1/WYNT

Score

7^/10

aspackv2 persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000700000002320e-70.dat	acprotect

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000700000002320d-54.dat	aspack_v212_v242
behavioral2/files/0x0007000000023210-64.dat	aspack_v212_v242

Executes dropped EXE 5 IoCs

pid	Process
4912	dtxservice.exe
3512	fps.exe
3664	mps.exe
4408	iss32.exe
2760	CRSS.EXE

Loads dropped DLL 2 IoCs

pid	Process
2760	CRSS.EXE
4912	dtxservice.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002320f-59.dat	upx
behavioral2/memory/4408-60-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/4408-62-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/files/0x000700000002320e-70.dat	upx
behavioral2/memory/4912-78-0x0000000010000000-0x0000000010009000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\dtxservice.exe -atm"	be2200f8a4cc7c28ff19270892118293.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dtxservice.exe	be2200f8a4cc7c28ff19270892118293.exe
File opened for modification	C:\Windows\SysWOW64\dtxservice.exe	be2200f8a4cc7c28ff19270892118293.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\CRSS.EXE	dtxservice.exe
File created	C:\Windows\kdd32.atm	dtxservice.exe
File created	C:\Windows\kt.atm	dtxservice.exe
File created	C:\Windows\fps.atm	fps.exe
File opened for modification	C:\Windows\ktd32.atm	dtxservice.exe
File created	C:\Windows\icq.dll	dtxservice.exe
File created	C:\Windows\iss32.exe	dtxservice.exe
File created	C:\Windows\mps.atm	mps.exe
File opened for modification	C:\Windows\ktd32.atm	CRSS.EXE
File created	C:\Windows\fps.exe	dtxservice.exe
File created	C:\Windows\mps.exe	dtxservice.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4664	be2200f8a4cc7c28ff19270892118293.exe
4664	be2200f8a4cc7c28ff19270892118293.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2760	CRSS.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 4912	4664	be2200f8a4cc7c28ff19270892118293.exe	87
PID 4664 wrote to memory of 4912	4664	be2200f8a4cc7c28ff19270892118293.exe	87
PID 4664 wrote to memory of 4912	4664	be2200f8a4cc7c28ff19270892118293.exe	87
PID 4912 wrote to memory of 3512	4912	dtxservice.exe	90
PID 4912 wrote to memory of 3512	4912	dtxservice.exe	90
PID 4912 wrote to memory of 3512	4912	dtxservice.exe	90
PID 4912 wrote to memory of 3664	4912	dtxservice.exe	91
PID 4912 wrote to memory of 3664	4912	dtxservice.exe	91
PID 4912 wrote to memory of 3664	4912	dtxservice.exe	91
PID 4912 wrote to memory of 4408	4912	dtxservice.exe	92
PID 4912 wrote to memory of 4408	4912	dtxservice.exe	92
PID 4912 wrote to memory of 4408	4912	dtxservice.exe	92
PID 4912 wrote to memory of 2760	4912	dtxservice.exe	93
PID 4912 wrote to memory of 2760	4912	dtxservice.exe	93
PID 4912 wrote to memory of 2760	4912	dtxservice.exe	93

C:\Users\Admin\AppData\Local\Temp\be2200f8a4cc7c28ff19270892118293.exe
"C:\Users\Admin\AppData\Local\Temp\be2200f8a4cc7c28ff19270892118293.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Windows\SysWOW64\dtxservice.exe
  C:\Windows\system32\dtxservice.exe -atm
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\fps.exe
    C:\Windows\fps.exe /stext C:\Windows\fps.atm
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3512
- - C:\Windows\mps.exe
    C:\Windows\mps.exe /stext C:\Windows\mps.atm
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3664
- - C:\Windows\iss32.exe
    C:\Windows\iss32.exe
    3⤵
    - Executes dropped EXE
    PID:4408
- - C:\Windows\CRSS.EXE
    C:\Windows\CRSS.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\CRSS.EXE

Filesize
13KB

MD5
067c3c377e0346290862dc8791e81fb0

SHA1
9a4d3a6ad5fd102eb32a6f1229c80c15dc495409

SHA256
18cbf1415419f9f27425cea06c32e9a2f041ec52a39d78d58922efbb698b9d76

SHA512
0c0f0a1e4144accb97d159096cbd4003e77ca0ac792727002c2fe402dc12471a16e90ae3622f1f96d25a333af36a4dccbe80a6689bed080ba32e28dd845960aa

Download Submit
C:\Windows\SysWOW64\dtxservice.exe

Filesize
64KB

MD5
de5c48611965d99f153c31f576ae0601

SHA1
a5c3e974856534ee040a6fb3169f36a865d43ed1

SHA256
243832d43ee3f3282fcfae3a9e0c471b093c9e6ad4a7e099323f71446eaa8815

SHA512
5c36efaefba2452f8c729654a317f2e12b611d728780af95893ec68d413c4d196be3d69d9bb69018362adc0cd1c2a9dcd0d52667fff03a0a65b942d1cdb66724

Download Submit
C:\Windows\SysWOW64\dtxservice.exe

Filesize
128KB

MD5
b38cdebbe91255642c167aa2664ea2cb

SHA1
e9673dc916925c68ac7d9609e76cf6df6387320a

SHA256
12c46419ebed7b3de3fe28840b068e6d53e165e7eb6fa363fbee031004439634

SHA512
d128adffd5a37ad4e28b87287e9baf1887e98618f5b124676c85c3303ecd7b766f89c6fe2d4761c3866c7f1af31f3eb977742d09344bc4f7e06737b418228c74

Download Submit
C:\Windows\fps.exe

Filesize
14KB

MD5
16d0b87ea242e563ccbf13fbfc279915

SHA1
a56a456b48f5318ca57cce4d75e2f0e3493850d4

SHA256
1a4cef71598d42e1765c89fa5f0d91141e313c89d25418d7dc5e2b4b9bfc07aa

SHA512
ee9b92a5c17bcf17812d18bb9f0e993537a9a1c1bb4938442aef9005046c4547be61380cf5cf01c7a710b07d5d0e116a4a8e8263d3ad73fef1e0c1de196f6cc0

Download Submit
C:\Windows\icq.dll

Filesize
7KB

MD5
07fbfe41f346165ddf49ff1a0efac0c6

SHA1
10355863e48ab258fcd9e2db2218d717b9b95d5e

SHA256
fbc2717905a942d8489c66603c03ffcc94e7b643caa3e343a7b4d4da5f115093

SHA512
2893228f10fb1c41dcafe4132d25e9cf42af608168a5726961e0030334dd57e697d99998032bb50710ea27463fb6c9899341b0cf2a004bedac7cbb0aea00a2e4

Download Submit
C:\Windows\iss32.exe

Filesize
3KB

MD5
d36a7e657fb830da92a59bccb67948a5

SHA1
730d2499b9ffffa7a3e29b9f973728f2c9547827

SHA256
0f855337f81800b5df27abd91f85c9a4187ac553e0a65b2a9719d5db1df08b39

SHA512
0a24a2f87fcf35937520bde130862af7f40b3fcb29c8f09a197faa5e11a33b7db35b765b2494f719b28ef51060add5324aff441a825a3c87287fa64665e140c8

Download Submit
C:\Windows\kdd32.atm

Filesize
8KB

MD5
51abb91f79fc8057f9ac61877fb480d5

SHA1
42790a05bb6cc05292977d70bf9ae60350aca1d7

SHA256
6bd988e0c55f611e20ff740c76870dc892505725e9852580fe23bade1a8978fa

SHA512
4b115ec069cecd082e72c5728aab8902ee018705ed9ad11731e47efd0f6d5d8e2412485d4713cb4ab20bfdd3d03f5919b2bb60a361af6ac69e7566a4fc015413

Download Submit
C:\Windows\kt.atm

Filesize
29B

MD5
d4d0a66ac4c1820c90f62f77099b547a

SHA1
c8f96649ec9865804efc925472b931005925f3ff

SHA256
997394c51fb18768bbb7a8e6cfe7bdec1efa0bdd82ed3507f3f1cc46ab459ff1

SHA512
9ab9b7d786bdbd2e5bd596060930c64ee1496cbdf423bd283fbecee13501adeb149d4aa7290d410dd153a255ef6513e6a8356a88740efa4badb3190fb5388ebb

Download Submit
C:\Windows\mps.exe

Filesize
17KB

MD5
4bad43105d4d557ae90d2f094e4bb833

SHA1
1d80ae0e7806c6cb2425131604373acb62ef8991

SHA256
918d1c42a73d79c4296f8fe3683070803916df4f5a236e84aabf665215e266e2

SHA512
278a11bb0fb2f17b91e1dc63d6b9a6376c332a41fdcedcd55d96b208b39b769e7edd1f41a614a80e24f409ba098a06b3da6848a6ab9ad0ff37e5154376ef681c

Download Submit
memory/2760-67-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2760-92-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3512-52-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3664-56-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3664-57-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4408-60-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4408-62-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4664-27-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/4664-14-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/4664-22-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/4664-23-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/4664-26-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/4664-0-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/4664-25-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/4664-24-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/4664-18-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/4664-29-0x0000000002340000-0x000000000238C000-memory.dmp

Filesize
304KB

Download
memory/4664-1-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/4664-28-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/4664-2-0x0000000002340000-0x000000000238C000-memory.dmp

Filesize
304KB

Download
memory/4664-3-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/4664-4-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4664-5-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/4664-6-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/4664-8-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/4664-21-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/4664-9-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/4664-7-0x0000000002AC0000-0x0000000002AC2000-memory.dmp

Filesize
8KB

Download
memory/4664-20-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/4664-10-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/4664-11-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/4664-15-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/4912-34-0x0000000003980000-0x0000000003981000-memory.dmp

Filesize
4KB

Download
memory/4912-86-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/4912-50-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/4912-47-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/4912-44-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4912-36-0x00000000039A0000-0x00000000039A1000-memory.dmp

Filesize
4KB

Download
memory/4912-37-0x0000000003990000-0x0000000003991000-memory.dmp

Filesize
4KB

Download
memory/4912-35-0x0000000003970000-0x0000000003971000-memory.dmp

Filesize
4KB

Download
memory/4912-32-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/4912-33-0x0000000002E30000-0x0000000002E31000-memory.dmp

Filesize
4KB

Download
memory/4912-71-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/4912-31-0x00000000007F0000-0x000000000083C000-memory.dmp

Filesize
304KB

Download
memory/4912-74-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/4912-75-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4912-76-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/4912-77-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/4912-78-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/4912-79-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/4912-80-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/4912-81-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/4912-87-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/4912-51-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/4912-85-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/4912-84-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/4912-83-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/4912-82-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/4912-89-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/4912-88-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/4912-90-0x00000000007F0000-0x000000000083C000-memory.dmp

Filesize
304KB

Download
memory/4912-91-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/4912-30-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/4912-93-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/4912-96-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/4912-99-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/4912-102-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/4912-105-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/4912-108-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/4912-111-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/4912-114-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/4912-117-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/4912-120-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/4912-123-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/4912-126-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/4912-129-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download